top | item 37884846

(no title)

kaelinl | 2 years ago

This, in turn, will spawn user scripts which work around the detection. Any client-side solution will be an arms race between Google and user script/adblock devs. The only real way to prevent it is to withhold the video stream from the CDN until the client has streamed the full ad and/or bake it into the video stream. My impression is that Twitch does this for its live streams (although not VODs).

discuss

serf|2 years ago

yeah.

given that in-stream ads still have blocking/ignoring methods I think that if this arms race keeps going that ultimately the data (video, whatever) is going to be stuffed behind some hard authentication barrier of some sort -- and then traditional piracy methods will take over like single-user-rebroadcast/etc.

Aurornis|2 years ago

The number of people who will do all the things necessary to play in that arms race gets smaller and smaller with each extra difficulty.

In the end, if the only way to block the ads is to have a setup so complicated that only 1 in 10,000 people would be able and willing to maintain it, that’s basically perfect. The people who will spend hours and hours perfecting and maintaining their ad blocking setup were never going to buy premium anyway and they’re negligible drains on resources.

losteric|2 years ago

I look forward to my browser-based TiVo, buffering videos to ship over ads just like in the 00s... TV started as advertising channels, it's not surprising YouTube converges towards the cesspool of cable TV.

eertami|2 years ago

Well if they copy Twitch I suspect it will be circumvented very quickly. My adblock works just fine for Twitch, I do not see any adverts (unless I open using incognito).

argiopetech|2 years ago

I've enabled uBlock Origin in Incognito mode as well. Highly recommended unless you have a compelling reason not to.

lakomen|2 years ago

Ublock isn't working for me on twitch.

brucethemoose2|2 years ago

Another option is to require Chrome for playback outside of authenticated apps, and lock Chrome down.

TBH baking it into the video stream is probably the easiest path. The whole video doesn't have to be re-encoded if the ad is spliced in. This is a "soft lockdown" since the ad can theoretically be manually skipped by the user, but its probably good enough.

drdaeman|2 years ago

I wonder when they’ll completely forgo HTML and will just start serving giant polymorphic/obfuscated WebAssembly blob that would perform all the rendering

dylan604|2 years ago

baking into the video stream loses their ability to auction off ads in realtime to customize ads per viewer based on all of the analytics they've hoovered up on that viewer. they aren't doing the hoovering to go back to old school pre-determined ad placement

josephcsible|2 years ago

> Another option is to require Chrome for playback outside of authenticated apps, and lock Chrome down.

I really hope that that would be enough to finally coax the antitrust regulators into doing something.

paulmd|2 years ago

> This, in turn, will spawn user scripts which work around the detection. Any client-side solution will be an arms race between Google and user script/adblock devs

No, you can't adblock remote attestation. Trust me, the whole idea is cryptographically sound (with a proper implementation of course), people have been building out the remote attestation/TPM space for 20 years now. It is unambiguously possible to use a TPM to detect modification of BIOS, OS, drivers, or anything else in the system, and you effectively cannot modify the TPM at all, and it has minimal attack surface (it just is a key-signing machine, essentially).

random practical explanation from someone's college papers: https://seclab.stanford.edu/pcl/cs259/projects/cs259_final_l...

Every time it's brought up (like I previously suggested that it could be used by NVIDIA/etc to disrupt mining operations from a VBIOS level) there's people who think there is some easy runaround and if there was the whole idea would be broken from the start. The TPM provides a secure root to start the cryptographic validation from, and while you can mod the software, it will be immediately evident from the attestation, and they will simply not serve the video. Or in the case of a GPU, you can have the PC attest to the drivers being official and unmodified, and if that doesn't happen the GPU refuses to clock up the memory bus, if the workload displays the characteristics of mining (100% memory load, flat and constant and low shader load).

At best it will be an arms race between TPM developers and adblock devs.

There is also the "analog gap", but that's been notionally plugged for years using HDCP. Early implementations were quickly broken, HDCP 2.3 is still doing pretty well, and it provides a massive speedbump to people who think they're just going to plug a capture card in and loop the video through.

Netflix and others have been doing this for years and the tricks are well-known at this point. Netflix doesn't push too hard, but they won't serve you the highest-quality video if you don't have a secure signal path either.

AFAIK at this point most of the "ripping" of decryption keys/etc for streaming content happens not by attacking the TPM, but by using android devices that are allowed to skate with reduced security modes, and just having a giant stack of them so when one device gets banned they throw it away and move onto the next.

gruez|2 years ago

>AFAIK at this point most of the "ripping" of decryption keys/etc for streaming content happens not by attacking the TPM, but by using android devices that are allowed to skate with reduced security modes, and just having a giant stack of them so when one device gets banned they throw it away and move onto the next.

Without a TEE (eg. trustzone), you're not going to get anything above 540p, at least with widevine. Note TEE is baked into the SoC itself, so while it's not impossible to find a bug, it's much harder than finding a exploit in android or system apps.